I've pushed the code to perform the KNOB attack also when the Nexus 5 is the Bluetooth slave responding to the first LMP packet. To switch between different attack modes have a look at the updated README.
For more information visit knobattack.com
The code that we developed to validate and brute force E0 encryption keys is online.
The slides of my KNOB attack SEC19 talk are also online. As we can see from the slides, the KNOB attack is not conducted while two Bluetooth devices are pairing, but when two devices are connecting (establishing a new encrypted session). Bluetooth (BR/EDR) is a technology with a pair-once connect-multiple-times paradigm. For example, you pair your smartphone with your car once, and then every day you connect the two and the devices negotiate a new (fresh) encryption key.
Our KNOB repository is online, and it includes our PoC.
For more information visit knobattack.com
The camera-ready version of Nearby Threats: Reversing‚ Analyzing‚ and Attacking Google's “Nearby Connections” on Android is available here
We also released a proof of concept code to perform the Soft AP manipulation attack. The code was previously disclosed to Google. In summary, the attack allows a malicious Nearby Connections server (advertiser) to redirect a client to a malicious Internet connected access point. As a result the attacker can reconfigure the wireless network interface of the victim via DHCP and gets access to all the Wi-Fi traffic (even traffic from non Nearby Connections applications).
I recently open-sourced the code that I developed for the MiniCPS challenges for the SWaT Security Showdown (S3) event in 2017.
Here is the code.
The init.sh contains the list of commands that I run on a local testing machine and on the remote AWS instances that we used during the event. The attackers were provided with the VPN credentials to access two different subnetworks in a mixed MiniCPS simulation eg: water treatment (SWaT) and water distribution (WaDI).